elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 21:17:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

allow multiple users in 5.2.18 (#228)

Browse Source 
* allow multiple exception users for 99.5.2.4

* move clean up part of previous commit

* split clean up part of previous commit

* add tests for multiple allowed and denied ssh users

* fix script to correctly set multiple allowed and denied ssh users

* add cleanup resolved check to 5.2.18

* apply shellfmt to 5.2.18

---------

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
This commit is contained in:
lgaida 2024-01-10 17:07:02 +01:00 committed by GitHub
parent 5313799193
commit 730ab47437
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 108 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bin/hardening/5.2.18_sshd_limit_access.sh
View File

@ -22,13 +22,13 @@ FILE='/etc/ssh/sshd_config'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" OPTIONS=("AllowUsers='$ALLOWED_USERS'" "AllowGroups='$ALLOWED_GROUPS'" "DenyUsers='$DENIED_USERS'" "DenyGroups='$DENIED_GROUPS'")
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!" ok "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -53,7 +53,7 @@ apply() {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install "$PACKAGE" apt_install "$PACKAGE"
fi fi
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in "${OPTIONS[@]}"; do
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
# shellcheck disable=SC2001 # shellcheck disable=SC2001

105
tests/hardening/5.2.18_sshd_limit_access.sh
View File

@ -22,4 +22,109 @@ test_audit() {
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config" register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config" register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Check and report mismatch for allowed user
useradd -s /bin/bash johnallow
sed -i "s/ALLOWED_USERS=''/ALLOWED_USERS='johnallow'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply allowed user
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple allowed users
useradd -s /bin/bash janeallow
sed -i "s/johnallow/johnallow janeallow/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is not present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple allowed users
# the previous test checked that ALLOWED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
tail -n 5 /etc/ssh/sshd_config
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]*johnallow janeallow is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_allowed_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset allowed users to default before continuing
sed -i "s/ALLOWED_USERS='johnallow janeallow'/ALLOWED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
describe Check and report mismatch for denied user
useradd -s /bin/bash peterdeny
sed -i "s/DENIED_USERS=''/DENIED_USERS='peterdeny'/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply denied user
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --apply-all
describe Check and report mismatch for multiple denied users
useradd -s /bin/bash marrydeny
sed -i "s/peterdeny/peterdeny marrydeny/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
register_test retvalshouldbe 1
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is not present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
describe Correctly apply multiple denied users
# the previous test checked that DENIED_USERS is set but not correctly applied in sshd_config so we apply it now
"${CIS_CHECKS_DIR}/${script}.sh" || true
# and check again that the fix was correctly applied
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*peterdeny marrydeny is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run fix_multi_denied_user_mismatch "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# reset to prevent other test from possibly failing in the future
sed -i "s/DENIED_USERS='peterdeny marrydeny'/DENIED_USERS=''/" "${CIS_CONF_DIR}/conf.d/${script}.cfg"
"${CIS_CHECKS_DIR}/${script}.sh" || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config"
register_test contain "^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config"
register_test contain "^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config"
run cleanup_resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
# Cleanup
userdel johnallow
userdel janeallow
userdel peterdeny
userdel marrydeny
} }